From Policy to Process: Best Practices for Creating an Open Source Governance Process

FOSSBazaar is no longer being updated. The information on this site is preserved for your convenience but may be out of date. Please visit Linux Foundation's Open Compliance Program for current information and activities.

Wazi's picture
The excerpt below is from an article by Ragavan Srinivasan that originally appeared on Wazi, a clearinghouse for the timeliest thinking on open source software.


These days, practically every company out there is involved with free and open source software (FOSS) in one way or another, but don't be fooled by the use of the words "free" and "open": FOSS still needs to be managed just like any other third-party software. The ways in which it enters your company, what it can be used for, how it impacts your daily operations — these processes need to be tracked, organized, and streamlined.
Creating an open source policy manual is the first step companies typically take to help manage the use and adoption of FOSS, and this is usually followed by setting up the right governance processes to help implement the policies. Companies often struggle with several questions they need to answer in establishing these processes. This article will help you identify some of the common questions and factors to consider when setting up an open source governance process. We'll also provide practical tips on some of these areas based on what organizations have done in the real world.
Please note that this article builds heavily on Stormy Peters' excellent guide: Best Practices for Creating an Open Source Policy. If you haven't already done so, be sure to read that article before proceeding any further.

Why Do You Need An Open Source Governance Process?

There's hardly a company today that does not interact with FOSS to some degree. These interactions range anywhere from using FOSS as part of their internal IT infrastructure, to distributing it as part of a product they sell. Some of these interactions may even be unintentional. For example, a company may buy third-party software that incorporates FOSS components.
FOSS can enter a company through many channels, most (if not all) of which may not be set up to track its flow through the organization. While many consider this non-traditional fluidity one of the key benefits of FOSS, it does pose certain challenges in today’s world of corporate accountability. In fact, tracking FOSS in your company usually goes beyond the well understood need for audits and compliance. Information collected as part of FOSS governance can be an invaluable tool in making strategic decisions and is often used as a competitive advantage.
A well designed open source governance process can help your company:
  • Track the various FOSS projects (and associated licenses) that are currently being used in your organization.
  • Identify all the areas that have a key relationship with FOSS and the nature of that relationship (consumer, participant, maintainer, etc.)
  • Establish a direct communication channel to all of the key stakeholders for any timely updates related to FOSS (e.g., upcoming license change of a FOSS package you depend on).
  • Integrate FOSS reviews into your regular corporate work flow so nothing falls through the cracks.
  • Cultivate mutually beneficial relationships with FOSS projects and communities that are important to your company.
  • Relax. While an open source governance process won’t pay for your vacation, it will certainly help provide the peace of mind that comes with knowing your organization is well equipped to maximize FOSS benefits while minimizing risk.

It is also key to understand that there are a lot of variables that will influence your choices in each of the sections outlined below. These variables include:
Organizational maturity: Whether your company is a 20 person start-up or a 200,000 person enterprise will have a strong impact on all aspects of your FOSS governance process.
Primary business: FOSS, in the context of this discussion, is a key part of your technology arsenal. If your primary business is in the technology space, FOSS could have an undeniable role in your strategy. On the other hand, if your company relies on others to provide technology expertise, you may also need to procure FOSS expertise from similar external providers.
Existing processes (procurement, product/service releases, public relations, etc.): FOSS will affect all aspects of your organization. In some cases you may need to augment existing processes, while in others you may need completely new ones.
Organizational culture: Your FOSS governance process will need to fit in with your existing organizational culture in order for it to succeed. For example, this could mean deciding between a heavyweight process that is very structured and implemented top-down, a lightweight process that is more informal and driven organically from the bottom up, or some hybrid of the two. Organizational culture is intangible and can be difficult to incorporate in governance processes, but it can make the difference between a process that struggles for adoption and one that becomes a great success.
Keep these variables in mind as you read through the sections below, and while planning and designing your FOSS governance process....
Continue reading Best Practices for Creating an Open Source Governance Process »